cross-posted from: https://lemmy.ml/post/12400033 (Thank you https://lemmy.ml/u/Kory !)

I first used Linux about 5 years ago (Ubuntu). Since then, I have tried quite a few distros:

Kali Linux (Use as a secondary)

Linux Mint (Used for a while)

Arch Linux (Could not install)

Tails (Use this often)

Qubes OS (Tried it twice, not ready yet)

Fedora (Current main)

For me, it has been incredibly difficult to find a properly privacy oriented Linux distro that also has ease of use. I really enjoy the GNOME desktop environment, and I am most familiar with Debian. My issue with Fedora is the lack of proper sandboxing, and it seems as though Qubes is the only one that really takes care in sandboxing apps.

Apologies if this is the wrong community for this question, I would be happy to move this post somewhere else. I’ve been anonymously viewing this community after the Rexodus, but this is my first time actually creating a post. Thank you!

UPDATE:

Thank you all so much for your feedback! The top recommended distro by far was SecureBlue, an atomic distro, so I will be trying that one. If that doesn’t work, I may try other atomic distros such as Fedora Atomic or Fedora Silverblue (I may have made an error in my understanding of those two, please correct my if I did!). EndeavourOS was also highly recommended, so if I’m not a fan of atomic distros I will be using that. To @leraje@lemmy.blahaj.zone, your suggestion for Linux Mint Debian Edition with GNOME sounds like a dream, so I may use it as a secondary for my laptop. Thank you all again for your help and support, and I hope this helps someone else too!

  • @Pantherina@feddit.de
    link
    fedilink
    29 months ago

    Yeah know that deleting post fun. Jerboah is very good at recovering them.

    Bubblejail just got an update that should fix DNS on Fedora! Just has to arrive in Secureblue (rusty-snakes fedora-extras, qoijjjs fork, COPR)

    If you use your GPU that model is fingerprintable through WebGL stuff. There is a firefox addon that spoofs random values though. Same for screen size.

    Yes, secure projects are nice, if they do something then right.

    Yes a Pixel is less trackable than some random phone. But still, trackable. Letterboxing and software rendering could be needed by people.

    Secureblue does not implement privacy over security, but if patches make a browser stay just as securely I think that would be fine.

    The thing is, for example we had some arguments about manifest v2 extensions (which can download stuff they then use, i.e. no control by Google and thus “less secure”). If Chromium does things like Connect to Google for security stuff like Safe Browsing, this will totally not be removed.

    Also you can install any browser you like, just not Firefox (as that is override-removed). I have a PR open to make Librewolf work with hardened-malloc, hope they react soon…

    Secureblue is not GrapheneOS too. It is just a (huge) compilation of patches and patched images. Basically every Desktop with Wayland support, currently 86 (!!!) images.

    Doing something like hardened degoogled Chromium with sync capabilities would happen outside of the project.

    • @Throwaway1234@sh.itjust.works
      link
      fedilink
      19 months ago

      Yeah know that deleting post fun. Jerboah is very good at recovering them.

      TIL about Jerboa. Thank you!

      If you use your GPU that model is fingerprintable through WebGL stuff. There is a firefox addon that spoofs random values though. Same for screen size.

      IIRC, so-called ‘naive scripts’ will indeed be spoofed. However, it has been shown at great length that JavaScript is not even required to to acquire screen size in the first place. Furthermore, methods that rely on badness enumeration are deemed inferior.

      Secureblue does not implement privacy over security, but if patches make a browser stay just as securely I think that would be fine.

      That would require someone to put effort into showing that ungoogled-chromium is at least as secure as Chromium. Is that even established in the first place?

      The thing is, for example we had some arguments about manifest v2 extensions (which can download stuff they then use, i.e. no control by Google and thus “less secure”). If Chromium does things like Connect to Google for security stuff like Safe Browsing, this will totally not be removed.

      Perhaps the desire to minimize attack surface is what’s been decisive.

      Secureblue is not GrapheneOS too. It is just a (huge) compilation of patches and patched images. Basically every Desktop with Wayland support, currently 86 (!!!) images.

      Surely, it would take a lot more effort to get it to GrapheneOS levels. However, I don’t find any fault with the desire to be inspired from GrapheneOS’ methods and implementations.

      • @Pantherina@feddit.de
        link
        fedilink
        29 months ago

        Yeah for sure the not-badness-enumeration approach would be to not use the GPU and set a defined screen size and pixel density.

        ungoogled chromium is likely less secure, no 1 is to have regular updates. With CI/CD those patches should be applied automatically. Would be a cool project but not for me, I prefer Firefox.

        • @Throwaway1234@sh.itjust.works
          link
          fedilink
          19 months ago

          Thanks for the conversation! 😊

          Yeah for sure the not-badness-enumeration approach would be to not use the GPU and set a defined screen size and pixel density.

          Hopefully one day.

          ungoogled chromium is likely less secure, no 1 is to have regular updates.

          Agreed.

          With CI/CD those patches should be applied automatically. Would be a cool project but not for me, I prefer Firefox.

          Hehe, fair.